Cyberspace is a scary landscape, and it is becoming scarier each day. While people stay (mostly) the same, the technology keeps evolving. In this talk we'll discuss this challenge: how can we use effective UX design to provide a safer online environment? What can we do to make people feel secure? Which techniques enhance online security, and which common practices are ineffective and should be discarded?
2. Cyber Security: The Risks
Virus, malware, spyware, ransomware, identity theft, worms, Trojan horses, Heartbleed, Golden Ticket, Pass-the-Hash…
3. Ran Liron
Head of UX at CyberArk
And also…
UX Program Lead @ Technion, Continuing Education Division
UX Mentor @ Google Launchpad
UXing for more than 20 years
6. Security Experts' Recommendations
Google research: 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users
231 security experts were asked: "What are the top three pieces of advice you'd give to a non-tech-savvy user?"
The result: 152 pieces of security advice…
7. Password matters
Security experts' recommendations (Google research: 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users):
Advice #2: "Use unique passwords"
Advice #3: "Use strong passwords"
9. Common password requirements
At least:
▪ 8 characters
▪ 1 lowercase letter
▪ 1 uppercase letter
▪ 1 special character (!@#$%^&*)
▪ 1 number (0–9)
10. Defensive Tools: Password
Common password display method: ********
The problem:
- Requiring a strange, meaningless yet complex string
- The user never sees the password
So… very hard to remember.
18. Security Questions: The Assumptions
If only we were…
▪ Only you know your own history
▪ You don't have to memorize it
▪ Users will answer truthfully
20. Security Questions: The Reality
Only you know your own history? Nope.
21. Security Questions: The Reality
37% admitted to providing fake answers, in an attempt to make them "harder to guess".
40% of our English-speaking US users were unable to recall their answers.
Google research: "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google"
33. Don't torment your users!
All of the password requirements should be displayed together.
34. Setting a password: Instructing the user
Password criteria:
Start with a letter
Include upper-case letter
Include lower-case letter
Include special character (!@#$...)
Include number
At least 8 characters

Set Password: *******
Confirm Password: ********

The checklist is shown in full and updates as the user types, so every unmet criterion is visible at once:
✘ Start with a letter
✘ Include upper-case letter
✘ Include lower-case letter
✘ Include special character (!@#$...)
✘ Include number
✘ At least 8 characters
Nope!

✘ Start with a letter
✔ Include upper-case letter
✔ Include lower-case letter
✘ Include special character (!@#$...)
✘ Include number
✔ At least 8 characters

✘ Start with a letter
✔ Include upper-case letter
✔ Include lower-case letter
✔ Include special character (!@#$...)
✔ Include number
✔ At least 8 characters

✔ Start with a letter
✔ Include upper-case letter
✔ Include lower-case letter
✔ Include special character (!@#$...)
✔ Include number
✔ At least 8 characters
************************
35. If only there was…
A way to create passwords that is both secure and easy to remember, and has almost no requirements…
36. There is a way!
Try to remember this: ********
Now try this: I love my fluffy bunny
38. Why is a passphrase better than a password?
Set Password: ***********************
We recommend using a meaningful phrase.
You may use any character, including spaces.
Minimum 20 characters total.
For example: "I love my fluffy bunny".
This is nice and simple.
39. Why is a passphrase better than a password?
Longer = more secure (a much larger search space for an attacker to guess through)
Easier to remember = more convenient AND more secure (a password users can recall is one they are less tempted to write down or reuse)
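The two UX points above, showing every rule at once (slide 34) and preferring a long passphrase (slides 38 and 39), are easy to get wrong in a form if the validator stops at the first failure. The following is an added example, not code from the talk: it evaluates all criteria and returns the whole checklist, applies the passphrase policy from the slide (any character, spaces allowed, 20 characters minimum), and puts numbers on "longer = more secure". The search-space model is an assumption of this example: a character-level brute-force estimate of `length × log2(alphabet)`, and, as the caveat a practitioner would want, a word-level estimate for passphrases built from dictionary words (words × log2(dictionary size), with a 7776-word Diceware-style list assumed). Rule names, function names and the 33-character punctuation count are this example's own choices.

```javascript
// Added example (not from the talk): evaluate every password rule at once so
// the UI can render the full ✔/✘ checklist, and estimate how much guessing
// work a password versus a passphrase imposes on an attacker.

// Rules as listed on the slide. Each rule is a predicate; none short-circuits.
const PASSWORD_RULES = [
  { id: 'startsWithLetter', label: 'Start with a letter',       test: pw => /^[A-Za-z]/.test(pw) },
  { id: 'upper',            label: 'Include upper-case letter', test: pw => /[A-Z]/.test(pw) },
  { id: 'lower',            label: 'Include lower-case letter', test: pw => /[a-z]/.test(pw) },
  { id: 'special',          label: 'Include special character', test: pw => /[!@#$%^&*]/.test(pw) },
  { id: 'digit',            label: 'Include number',            test: pw => /[0-9]/.test(pw) },
  { id: 'length8',          label: 'At least 8 characters',     test: pw => pw.length >= 8 },
];

// Passphrase policy from the slide: any character, spaces included, 20+ chars.
const PASSPHRASE_RULES = [
  { id: 'length20', label: 'Minimum 20 characters total', test: pw => pw.length >= 20 },
];

// Run ALL rules and return every result; the caller renders the full list
// rather than bouncing the user on one failure at a time.
function evaluate(rules, candidate) {
  const results = rules.map(r => ({ id: r.id, label: r.label, ok: r.test(candidate) }));
  return { ok: results.every(r => r.ok), results };
}

// Text rendering of the checklist in the style of the slides.
function renderChecklist({ results }) {
  return results.map(r => `${r.ok ? '\u2714' : '\u2718'} ${r.label}`).join('\n');
}

// Alphabet size inferred from the character classes actually present
// (assumption: 33 printable ASCII punctuation characters incl. space).
function charsetSize(pw) {
  let n = 0;
  if (/[a-z]/.test(pw)) n += 26;
  if (/[A-Z]/.test(pw)) n += 26;
  if (/[0-9]/.test(pw)) n += 10;
  if (/[^A-Za-z0-9]/.test(pw)) n += 33;
  return n;
}

// Character-level brute-force search space in bits: log2(alphabet ^ length).
function bruteForceBits(pw) {
  return pw.length * Math.log2(charsetSize(pw));
}

// Caveat: a passphrase of dictionary words is attacked word by word, not
// character by character. Model that as words * log2(dictionarySize); the
// 7776-word default is an assumption (a Diceware-style list).
function wordAttackBits(phrase, dictionarySize = 7776) {
  const words = phrase.trim().split(/\s+/).filter(Boolean);
  return words.length * Math.log2(dictionarySize);
}

// Constructed sample inputs: the slide's passphrase and a rule-compliant
// 8-character password.
const SAMPLE_PASSWORD = 'Pa$$w0rd';
const SAMPLE_PASSPHRASE = 'I love my fluffy bunny';

console.log(renderChecklist(evaluate(PASSWORD_RULES, SAMPLE_PASSWORD)));
console.log(`brute force, password:    ${bruteForceBits(SAMPLE_PASSWORD).toFixed(1)} bits`);
console.log(`brute force, passphrase:  ${bruteForceBits(SAMPLE_PASSPHRASE).toFixed(1)} bits`);
console.log(`word attack, passphrase:  ${wordAttackBits(SAMPLE_PASSPHRASE).toFixed(1)} bits`);
```

Under this model the 8-character complex password sits at about 52.6 bits against character-level brute force, while the 22-character passphrase is about 141 bits by the same measure and still about 64.6 bits even when the attacker guesses whole words from a 7776-word list. The passphrase wins either way, but the word-level figure is the honest one for phrases made of common words. The checklist logic here is for feedback in the browser only; the same rules must be enforced again on the server, since anything running in the client can be bypassed.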
42. There are A LOT of biometric methods...
Fingerprints, face recognition, eye scans, signature and typing recognition, vein recognition, voice recognition, DNA matching… and even odor-based identification.
43. Biometrics – advantages
▪ Secure
▪ Nothing to remember
▪ No need to manage or change
44. Biometrics – disadvantages
▪ Some methods require dedicated hardware
▪ Can't be changed if compromised (a stolen fingerprint or face template cannot be "reset" the way a password can)
▪ Privacy & security issues
▪ Might be disturbed by injuries
▪ User acceptance
49. Takeaways
Drive effective user behavior to increase security:
1. Don't use security questions or CAPTCHA
2. Display all the password requirements together
3. Allow users to see their passwords
4. Promote passphrases instead of passwords
5. Consider using biometric identification methods
6. Encourage users to keep their software up to date
51. References
▪ Google research: 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users
▪ Google research: Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google
▪ Are you a robot? Introducing "No CAPTCHA reCAPTCHA"
▪ Mozilla blog: Exploring the Emotions of Security, Privacy and Identity
▪ SogetiLabs blog: UX & Security, Part 2: Account Registration
▪ I'm not a human: Breaking the Google reCAPTCHA
▪ Michael McIntyre: Comedy Gala